Problems Using LDAP After Update

General eFa discussion
RHOPKINS13
Posts: 4
Joined: 17 Aug 2017 15:28

Problems Using LDAP After Update

Post by RHOPKINS13 »

My E.F.A. server was running a fairly old version (3.0.1.6), so last night I made a backup of it and ran an update. Afterwards, I haven't been able to use LDAP. Any time I try, the login page locks up while trying to log in. For the record, I'm using Zentyal as my LDAP server (which I believe is using Samba4).

This worked fine originally in my conf.php:

// LDAP settings
define('USE_LDAP',         true);
define('LDAP_SSL',         false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST',        'xxx.xxx.xxx.xxx');
define('LDAP_PORT',        '389');
define('LDAP_DN',          'DC=mydomain,DC=com');
define('LDAP_USER',        'administrator@mydomain.com');
define('LDAP_PASS',        '**********');
define('LDAP_SITE',        'default');
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'mail');
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', false);

Now that I've updated, it doesn't work. Here's my current conf.php:

// LDAP settings
define('USE_LDAP',         true);
define('LDAP_SSL',         false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST',        'xxx.xxx.xxx.xxx');
define('LDAP_PORT',        '389');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_DN',          'DC=mydomain,DC=com');
define('LDAP_USER',        'administrator@mydomain.com');
define('LDAP_PASS',        '**********');
define('LDAP_SITE',        'Default-First-Site-Name');
define('LDAP_FILTER', 'sAMAccountName=%s'); //%s will be replaced by username eg. 'mail=%', 'mail=SMTP:%s', 'sAMAccountName=%s'
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'proxyaddresses');

// The value of the LDAP_USERNAME_FIELD will be extended by LDAP_BIND_PREFIX and LDAP_BIND_SUFFIX to create the binding username.
define('LDAP_USERNAME_FIELD', 'sAMAccountName');
define('LDAP_BIND_PREFIX', '');
define('LDAP_BIND_SUFFIX', '');

// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', false);

I have probably spent three hours fiddling with these settings trying to make them work. I have:
  • Disabled Modsecurity (I saw another LDAP-related thread where Modsecurity was causing problems)
  • Changed LDAP_SITE. I'm not sure what this is; my original config just had 'default', and I have also tried 'default-first-site-name' and 'Default-First-Site-Name' with no luck. Somewhere in Apache Active Directory Studio I saw a reference to 'Default-First-Site-Name', so that's what I've been using for now. I have no idea whether or not it's case-sensitive.
  • Toggled LDAP_MS_AD_COMPATIBILITY (not sure what that does)
  • Toggled LDAP_EMAIL_FIELD. I've used Apache Active Directory Studio and I can see both mail entries and proxyaddresses. There are other "otherMailbox" entries for aliases, but I was used to adding aliases manually before the update, so I'm not too concerned about those. I've tried using both 'mail' and 'proxyaddresses'; neither one has worked for me.
  • Changed LDAP_USERNAME_FIELD. By default it was cn, but on my server that seems to be the Display Name of the user. sAMAccountName just shows the username, and userPrincipalName has the username followed by '@MYDOMAIN.COM' (in all caps). I tried changing LDAP_USERNAME_FIELD to 'userPrincipalName' and LDAP_BIND_SUFFIX to '@MYDOMAIN.COM', but this still hasn't worked.
I'm just really confused with a lot of these new fields that have been added. If somebody could assist me in diagnosing this issue I would greatly appreciate it. For now it's filtering spam fine, but I can only login as admin with LDAP disabled.
shawniverson
Posts: 3650
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Problems Using LDAP After Update

Post by shawniverson »

Your problem is likely here...

// The value of the LDAP_USERNAME_FIELD will be extended by LDAP_BIND_PREFIX and LDAP_BIND_SUFFIX to create the binding username.
define('LDAP_USERNAME_FIELD', 'sAMAccountName');
define('LDAP_BIND_PREFIX', '');
define('LDAP_BIND_SUFFIX', '');

This is for doing a BIND to LDAP. It is used to construct the fully distinguished ldap name. Don't confuse this with the username that is entered in the login screen (believe me, I have).

You probably can do this:

define('LDAP_USERNAME_FIELD', 'sAMAccountName');
define('LDAP_BIND_PREFIX', 'sAMAccountName=');
define('LDAP_BIND_SUFFIX', ',' . LDAP_DN);

RHOPKINS13
Posts: 4
Joined: 17 Aug 2017 15:28

Re: Problems Using LDAP After Update

Post by RHOPKINS13 »

shawniverson wrote (20 Aug 2017 16:43):
This is for doing a BIND to LDAP. It is used to construct the fully distinguished ldap name. Don't confuse this with the username that is entered in the login screen (believe me, I have).

In that case I'm afraid I might not be able to get this to work at all. In Zentyal's implementation, the distinct name appears to use the display name rather than the username. So, for me it's:

CN=MyFirstName MyLastName,CN=Users,DC=mydomain,DC=com

Any way of building that in the LDAP_USERNAME_FIELD? Previously I believe it was only "binding" using the administrator account I used.
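A small model of the two login styles discussed in this thread, added here as an illustration (it is not MailWatch or eFa code, and it is in Python rather than the project's PHP): the direct-bind identity built as LDAP_BIND_PREFIX + value of LDAP_USERNAME_FIELD + LDAP_BIND_SUFFIX, versus the older flow of binding as LDAP_USER, searching LDAP_DN for the typed username, and then binding as the DN that comes back. The directory entry, the passwords and the login name rhopkins are constructed; the DN shape is the one quoted above.

```python
import re

# Constructed stand-in for the Zentyal/Samba4 tree described in the thread.
# AD names the user entry by display name, not by the login name.
LDAP_DN = "DC=mydomain,DC=com"
LDAP_USER, LDAP_PASS = "administrator@mydomain.com", "admin-secret"  # constructed
DIRECTORY = {
    "CN=MyFirstName MyLastName,CN=Users,DC=mydomain,DC=com": {
        "cn": "MyFirstName MyLastName", "sAMAccountName": "rhopkins",
        "userPrincipalName": "rhopkins@MYDOMAIN.COM", "password": "user-secret"},
}
UPN_PASSWORDS = {LDAP_USER: LDAP_PASS}  # UPN-style binds the server also accepts


def build_bind_identity(prefix, field_value, suffix):
    """Mirror the conf.php rule: prefix + LDAP_USERNAME_FIELD value + suffix."""
    return f"{prefix}{field_value}{suffix}"


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot change the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def simulated_bind(identity, password):
    """True if the constructed directory would accept this bind."""
    if identity in UPN_PASSWORDS:
        return UPN_PASSWORDS[identity] == password
    entry = DIRECTORY.get(identity)
    return entry is not None and entry["password"] == password


def simulated_search(base, field, value):
    """DNs under `base` whose attribute `field` equals `value` (no wildcards)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(field) == value]


def direct_bind_login(prefix, suffix, username, password):
    """New-style: the typed username is assumed to BE the LDAP_USERNAME_FIELD value."""
    return simulated_bind(build_bind_identity(prefix, username, suffix), password)


def search_then_bind_login(username, password):
    """Old-style: bind as LDAP_USER, look the user up, then bind as the found DN."""
    if not simulated_bind(LDAP_USER, LDAP_PASS):
        return False
    hits = simulated_search(LDAP_DN, "sAMAccountName", escape_filter_value(username))
    return len(hits) == 1 and simulated_bind(hits[0], password)
```

With sAMAccountName= or cn= as the prefix, the typed login name rhopkins never yields the real DN, so the direct bind fails; the search-then-bind flow resolves the DN through the administrator account and succeeds.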
shawniverson
Posts: 3650
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Problems Using LDAP After Update

Post by shawniverson »

Try substituting cn instead.

define('LDAP_USERNAME_FIELD', 'cn');
define('LDAP_BIND_PREFIX', 'cn=');
define('LDAP_BIND_SUFFIX', ',' . LDAP_DN);

RHOPKINS13
Posts: 4
Joined: 17 Aug 2017 15:28

Re: Problems Using LDAP After Update

Post by RHOPKINS13 »

Just tried it, no luck. Really wish there was a way of getting it to work like it used to.
shawniverson
Posts: 3650
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Problems Using LDAP After Update

Post by shawniverson »

I would suggest heading over to https://github.com/mailwatch/MailWatch and opening an issue. Maybe there's something here we are missing, or there is a major bug....